Apple Fixes One of Three Quicktime Vulnerabilities

May 1, 2007

Severity: High

Summary:

Today, Apple released an update that fixes a zero day security vulnerability in Quicktime 7.1.5 (and earlier versions) for Windows and OS X. By enticing one of your users into visiting a malicious web page, an attacker can exploit this vulnerability to execute arbitrary code on your user’s computer, possibly gaining control of it. If you allow Quicktime or iTunes in your network, or suspect that users have installed them, you should recommend that users either remove the applications or upgrade to version 7.1.6.

Exposure:

Today, Apple released an alert describing a security vulnerability in Apple’s popular media player application, Quicktime 7.1.5 (and possibly earlier versions). Current versions of iTunes also ship with Quicktime. If your users have iTunes, they most likely have Quicktime.

We originally reported this vulnerability in April, on WatchGuard Wire. Security researchers Shane Macaulay and Dino Dai Zovi discovered the flaw, then exploited it to break into a Macbook at a hacking contest. The flaw involves the way Quicktime implements Java. If an attacker can trick one of your users into visiting a web page containing a specially crafted Java applet, she can exploit this vulnerability to execute arbitrary code on that user’s computer. Depending on the user’s privileges, the attacker could gain full control of that user’s machine.

Today’s update corrects Dino Dai Zovi’s previously unpatched Quicktime flaw, but it doesn’t fix the remaining zero day Quicktime vulnerabilities we reported in our alert last week. Have your Quicktime and iTunes users upgrade to version 7.1.6, but make sure they continue to follow the workarounds from our previous alert so they don’t get “pwned” by one of the remaining zero day exploits.

Solution Path:

Quicktime version 7.1.6 corrects this vulnerability. If you allow (or suspect that users have installed) Quicktime or iTunes in your network, recommend that users either remove the applications or upgrade to version 7.1.6.

The latest versions of Quicktime and iTunes for Windows ship with Apple Software Update. Apple Software Update automatically detects updates such as this one for Quicktime and informs you, so that you can install the update as soon as possible. If you choose to allow Quicktime or iTunes in your network, we recommend you set Apple Software Update to check for new updates daily and allow it to assist you in keeping your Apple software current.

Note: By default, Apple ships Quicktime combined with iTunes. If you do not want iTunes, download the standalone version of Quicktime.
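The solution path above boils down to an inventory question: which hosts still run a QuickTime build older than 7.1.6, and which hosts have iTunes (and therefore QuickTime) without a recorded QuickTime version at all? The following script is an added example, not part of the original alert or any Apple or WatchGuard tool. It assumes an inventory has already been collected into simple records (hostname, QuickTime version string, iTunes present); the sample records, host names and version strings are constructed for illustration. Note that 7.1.6 only closes the flaw described here, so hosts that pass this check still need the workarounds from the earlier alert.

```python
"""Flag hosts whose QuickTime build predates the fixed release named in the advisory."""
from __future__ import annotations

FIXED_VERSION = "7.1.6"  # the fixed version stated in the alert


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '7.1.5' into (7, 1, 5); raise ValueError for anything not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the fixed build.

    Shorter tuples are padded with zeros so '7.1' compares as '7.1.0'.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def triage(inventory):
    """Return (host, reason) pairs for every host that needs attention.

    Each record is a dict: {"host": str, "quicktime": version string or None,
    "itunes": bool}. A host with iTunes but no QuickTime version recorded is
    flagged too, because iTunes bundles QuickTime and the inventory is then
    incomplete. Unparseable version strings are reported rather than skipped.
    """
    findings = []
    for rec in inventory:
        host = rec["host"]
        qt = rec.get("quicktime")
        if qt is None:
            if rec.get("itunes"):
                findings.append((host, "iTunes present, QuickTime version unknown"))
            continue
        try:
            if is_vulnerable(qt):
                findings.append((host, f"QuickTime {qt} < {FIXED_VERSION}; upgrade or remove"))
        except ValueError as exc:
            findings.append((host, str(exc)))
    return findings


# Constructed sample inventory (hypothetical hosts, not data from the advisory).
SAMPLE_INVENTORY = [
    {"host": "ws-01", "quicktime": "7.1.5", "itunes": True},
    {"host": "ws-02", "quicktime": "7.1.6", "itunes": True},
    {"host": "ws-03", "quicktime": None, "itunes": True},
    {"host": "ws-04", "quicktime": None, "itunes": False},
    {"host": "ws-05", "quicktime": "7.0.4", "itunes": False},
    {"host": "ws-06", "quicktime": "7.1.6 beta", "itunes": False},
]

if __name__ == "__main__":
    for host, reason in triage(SAMPLE_INVENTORY):
        print(f"{host}: {reason}")
```

Running the script lists ws-01 and ws-05 (older builds), ws-03 (iTunes present but no QuickTime version recorded) and ws-06 (a version string the parser refuses to trust); ws-02 and ws-04 are clean. The zero-padding in `is_vulnerable` matters because inventory agents frequently report two-component versions, and treating "7.1" as newer than "7.1.6" would hide exactly the hosts you are looking for.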

For All WatchGuard Users:

This attack relies on Java to succeed. Some of WatchGuard’s Firebox models allow you to block Java, which prevents this type of attack from working. However, blocking Java could also prevent many legitimate web sites from working. Instead, you should recommend that users either remove Quicktime and iTunes, or upgrade to version 7.1.6.

Status:

Apple released Quicktime 7.1.6, which fixes this issue.